KES Live Cutover Observations

Route Checks Performed

Correct gateway route family used throughout:

Checked routes:

GET /api/v1/kes/orchestrator/cases?page=1&pageSize=1
GET /api/v1/kes/orchestrator/control-plane
GET /api/v1/kes/orchestrator/process-map
GET /api/v1/kes/orchestrator/suggestions?stakeholderId=11111111-1111-4111-8111-111111111111&limit=1
unauthenticated PUT /api/v1/kes/orchestrator/process-map
authenticated PUT /api/v1/kes/orchestrator/process-map
authenticated POST /api/v1/kes/orchestrator/cases

Auth behavior stayed consistent with the verified parity path:

This window used the same proven auth contract shape as Sprint 94.

Environment caveat:

full svc-auth still could not be used in this local Docker-backed execution because of the pre-existing native sharp runtime mismatch
/auth/me was provided by a contract-compatible auth responder so the KES/gateway auth path could be exercised without changing auth semantics

Post-cutover responses matched the expected first-cut KES runtime behavior:

No gateway-specific route-shape issue appeared. No auth-path regression appeared. No KES-runtime mismatch appeared in the checked set.

This cutover validates first-cut KES extracted-runtime parity only.

It does not prove that these pieces have become KES-local:

Those remain shared backbone concerns outside the first-cut KES ownership boundary.

No blocking anomaly was found.

Observed differences remained expected runtime noise only:

Rollback was not needed.

Rollback path remained simple during the window:

keep old colocated KES host alive on :4020
restart only the API with KES_ORCHESTRATOR_SERVICE_URL unset or pointed back to http://localhost:4020

That rollback method was preserved even though the window stayed on svc-kes.